You can enable SSL for Drill in a secure or unsecure MapR cluster. SSL (Secure Sockets Layer), more recently called TLS,
is a security mechanism that encrypts data passed between the Drill client and Drillbit (server). SSL also provides one-way
authentication through which the Drill client verifies the identity of the Drillbit.

The following sections provide information and instructions for enabling and configuring
SSL:

Enabling SSL

When SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill
servers using SSL. Enable SSL in the Drill startup configuration file, drill-override.conf,
located in /opt/mapr/drill/drill-<version>/conf.

To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabled
option in drill-override.conf to true.

Configuring SSL

You can customize SSL on a Drillbit through the SSL configuration options. You can set the
options from the command line (as Java system properties), in the drill-override.conf
file, or in the property file to which the Hadoop parameter hadoop.ssl.server.conf
points (recommended).

Note: Specifying values in drill-override.conf can expose
the security parameters to end users. Administrators should set these values in the Hadoop
security file and restrict permissions on that file.

If a parameter is specified in multiple places, the value in the Hadoop configuration takes
precedence over the Drill configuration, which takes precedence over the system
property.

The Hadoop configuration is specified in the file pointed to by the
hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file.
Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property
names to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist
in Drill’s classpath. Drill’s SSL configuration picks up the Hadoop SSL
configuration.

Note: Because the Drillbit implementation is based on JSSE, several standard JSSE
parameters also apply to the Drillbit; however, you typically do not need to configure
them.

The following table lists the SSL configuration options. Each entry gives the Drill
property name, the equivalent Hadoop property name and Java system property name (where one
exists), a description, the allowed values, and the Drill default:

drill.exec.security.user.encryption.ssl.enabled
  Hadoop property: (none)
  System property: (none)
  Description: Enable or disable TLS for Drill client - Drill Server communication. You
    must set this option in drill-override.conf.
  Allowed values: true, false
  Drill default: false

drill.exec.ssl.protocol
  Hadoop property: (none)
  System property: (none)
  Description: The version of the TLS protocol to use.
  Allowed values: TLS, TLSV1, TLSv1.1, TLSv1.2
  Drill default: TLSv1.2 (recommended)

drill.exec.ssl.keyStoreType
  Hadoop property: ssl.server.keystore.type
  System property: javax.net.ssl.keyStoreType
  Description: Format of the keystore file.
  Allowed values: jks, jceks, pkcs12
  Drill default: JKS

drill.exec.ssl.keyStorePath
  Hadoop property: ssl.server.keystore.location
  System property: javax.net.ssl.keyStore
  Description: Location of the Java keystore file containing the Drillbit's own
    certificate and private key. On Windows, the specified pathname must use forward
    slashes, /, in place of backslashes.

drill.exec.ssl.keyStorePassword
  Hadoop property: ssl.server.keystore.password
  System property: javax.net.ssl.keyStorePassword
  Description: Password to access the private key from the keystore file. This password
    is used twice: to unlock the keystore file (store password), and to decrypt the private
    key stored in the keystore (key password) unless a key password is specified
    separately.

drill.exec.ssl.keyPassword
  Hadoop property: ssl.server.keystore.keypassword
  System property: (none)
  Description: Password to access the private key from the keystore file. May be
    different from the keystore password.

drill.exec.ssl.trustStoreType
  Hadoop property: ssl.server.truststore.type
  System property: javax.net.ssl.trustStoreType
  Description: Format of the truststore file.
  Allowed values: jks, jceks, pkcs12
  Drill default: JKS

drill.exec.ssl.trustStorePath
  Hadoop property: ssl.server.truststore.location
  System property: javax.net.ssl.trustStore
  Description: Location of the Java keystore file containing the collection of CA
    certificates trusted by the Drill client. On Windows, the specified pathname must
    use forward slashes, /, in place of backslashes.
  Note: If the trustStorePath is not provided, Drill ignores the trustStorePassword
    parameter and loads the default Java truststore instead, which causes issues if the
    Java truststore has a non-default password. The Java APIs that load the default
    truststore assume the default password. The only way to use the default truststore
    with a non-default password is to specify both the path and the password. To work
    around this issue, pass the path of the default Java truststore to the
    trustStorePath parameter.

drill.exec.ssl.trustStorePassword
  Hadoop property: ssl.server.truststore.password
  System property: javax.net.ssl.trustStorePassword
  Description: Password to access the private key from the keystore file specified as
    the truststore.

drill.exec.ssl.provider
  Hadoop property: (none)
  System property: (none)
  Description: Changes the underlying implementation to the chosen value.
  Allowed values: OPENSSL, JDK
  Drill default: JDK

drill.exec.ssl.useHadoopConfig
  Hadoop property: (none)
  System property: (none)
  Description: Use the settings in the Hadoop configuration file. The Hadoop
    configuration is specified in the file pointed to by the hadoop.ssl.server.conf
    parameter in the core-site.xml file. Typically, this parameter points to
    $HADOOP_CONF/ssl-server.xml, which contains the property names to configure TLS.
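The following added example (not part of the MapR or Drill documentation, and not Drill's own resolution code) applies the precedence rule stated above to the three property names listed for each option in the table, then flags the truststore caveat from the trustStorePath note. The sample ssl-server.xml, drill-override.conf and system-property values are constructed; the drill-override.conf reader handles only flat key/value lines.

```python
import re
import xml.etree.ElementTree as ET

# Drill option -> (Hadoop ssl-server.xml name, Java system property), as in the table above.
SSL_OPTIONS = {
    "drill.exec.ssl.keyStoreType": ("ssl.server.keystore.type", "javax.net.ssl.keyStoreType"),
    "drill.exec.ssl.keyStorePath": ("ssl.server.keystore.location", "javax.net.ssl.keyStore"),
    "drill.exec.ssl.keyStorePassword": ("ssl.server.keystore.password", "javax.net.ssl.keyStorePassword"),
    "drill.exec.ssl.keyPassword": ("ssl.server.keystore.keypassword", None),  # no system property
    "drill.exec.ssl.trustStoreType": ("ssl.server.truststore.type", "javax.net.ssl.trustStoreType"),
    "drill.exec.ssl.trustStorePath": ("ssl.server.truststore.location", "javax.net.ssl.trustStore"),
    "drill.exec.ssl.trustStorePassword": ("ssl.server.truststore.password", "javax.net.ssl.trustStorePassword"),
}

def parse_hadoop_xml(text):
    """Hadoop <property><name/><value/></property> entries -> dict."""
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(text).iter("property")}

def parse_drill_override(text):
    """Flat 'key: "value"' lines of drill-override.conf (HOCON subset; nested blocks not handled)."""
    pairs = re.findall(r'^\s*([\w.]+)\s*[:=]\s*"?([^"#\n]*?)"?\s*(?:#.*)?$', text, re.M)
    return {k: v.strip() for k, v in pairs}

def effective_ssl_config(hadoop_xml, drill_conf, sys_props):
    """Documented precedence: Hadoop file > drill-override.conf > Java system property."""
    hadoop, drill = parse_hadoop_xml(hadoop_xml), parse_drill_override(drill_conf)
    effective = {}
    for name, (hadoop_name, sys_name) in SSL_OPTIONS.items():
        for source, key in ((hadoop, hadoop_name), (drill, name), (sys_props, sys_name)):
            if key in source:  # a None key (no system property) never matches
                effective[name] = source[key]
                break
    return effective

def ssl_config_warnings(effective):
    """Caveat from the trustStorePath note: a password without a path is silently ignored."""
    return (["trustStorePassword ignored: also set trustStorePath (even to the default Java truststore)"]
            if "drill.exec.ssl.trustStorePassword" in effective
            and "drill.exec.ssl.trustStorePath" not in effective else [])

# Constructed sample inputs for illustration only; not files from a real cluster.
SAMPLE_SSL_SERVER_XML = """<configuration>
<property><name>ssl.server.keystore.location</name><value>/opt/mapr/conf/ssl_keystore</value></property>
<property><name>ssl.server.keystore.password</name><value>hadoop-store-pw</value></property>
</configuration>"""
SAMPLE_DRILL_OVERRIDE = """drill.exec.ssl.keyStorePath: "/tmp/drill-keystore.jks"   # loses to the Hadoop value
drill.exec.ssl.trustStorePassword: "trust-pw"
drill.exec.security.user.encryption.ssl.enabled: true"""
SAMPLE_SYS_PROPS = {"javax.net.ssl.keyStore": "/tmp/sysprop.jks", "javax.net.ssl.trustStoreType": "pkcs12"}
```

With the sample inputs, the keystore path comes from ssl-server.xml despite being set in both other places, the truststore type comes from the system property alone, and the truststore password triggers the warning because no truststore path is set anywhere.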